The Jupiter X Core plugin for WordPress is vulnerable to Local File Inclusion to Remote Code Execution in all versions up to, and including, 4.8.7 via the get_svg() function. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution. In this specific case, an attacker can create a form that allows SVG uploads, upload an SVG file with malicious content and then include the SVG file in a post to achieve remote code execution. This means it is relatively easy to gain remote code execution as a contributor-level user and above by default.
Vulnerable versions of the Jupiter (<= 6.10.1) and JupiterX (<= 2.0.6) Themes allow logged-in users, including subscriber-level users, to perform Path Traversal and Local File inclusion. In the JupiterX theme, the jupiterx_cp_load_pane_action AJAX action present in the lib/admin/control-panel/control-panel.php file calls the load_control_panel_pane function. It is possible to use this action to include any local PHP file via the slug parameter. The Jupiter theme has a nearly identical vulnerability which can be exploited via the mka_cp_load_pane_action AJAX action present in the framework/admin/control-panel/logic/functions.php file, which calls the mka_cp_load_pane_action function.
Jupiter Theme <= 6.10.1 and JupiterX Core Plugin <= 2.0.7 allow any authenticated attacker, including a subscriber or customer-level attacker, to gain administrative privileges via the "abb_uninstall_template" (both) and "jupiterx_core_cp_uninstall_template" (JupiterX Core Only) AJAX actions
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in artbees JupiterX allows PHP Local File Inclusion.This issue affects JupiterX: from n/a through 3.0.0.
The Jupiter X Core plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the sync_libraries() function in all versions up to, and including, 4.8.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to sync libraries
The Jupiter X Core plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the export_popup_action() function in all versions up to, and including, 4.8.5. This makes it possible for unauthenticated attackers to export popup templates.
Missing Authorization vulnerability in Artbees JupiterX Core.This issue affects JupiterX Core: from 3.0.0 through 3.3.0.
Customizing functionality of SAP NetWeaver AS ABAP Platform (fixed in versions from 7.0 to 7.02, from 7.10 to 7.11, 7.30, 7.31, 7.40, from 7.50 to 7.53, from 7.74 to 7.75) does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges.
The B Slider- Gutenberg Slider Block for WP plugin for WordPress is vulnerable to Arbitrary Plugin Installation in all versions up to, and including, 1.1.30. This is due to missing capability checks on the activated_plugin function. This makes it possible for authenticated attackers, with subscriber-level access and above, to install arbitrary plugins on the server which can make remote code execution possible.
The e-School from Ventem has a Missing Authorization vulnerability, allowing remote attackers with regular privilege to access administrator functions, including creating, modifying, and deleting accounts. They can even escalate any account to system administrator privilege.
The SEO Metrics plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization checks in both the seo_metrics_handle_connect_button_click() AJAX handler and the seo_metrics_handle_custom_endpoint() function in versions 1.0.5 through 1.0.15. Because the AJAX action only verifies a nonce, without checking the caller’s capabilities, a subscriber-level user can retrieve the token and then access the custom endpoint to obtain full administrator cookies.
The Dataverse Integration plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization checks within its reset_password_link REST endpoint in versions 2.77 through 2.81. The endpoint’s handler accepts a client-supplied id, email, or login, looks up that user, and calls get_password_reset_key() unconditionally. Because it only checks that the caller is authenticated, and not that they own or may edit the target account, any authenticated attacker, with Subscriber-level access and above, can obtain a password reset link for an administrator and hijack that account.
HashiCorp Nomad and Nomad Enterprise 1.5.0 allow a job submitter to escalate to management-level privileges using workload identity and task API. Fixed in 1.5.1.
The Ultimate WP Mail plugin for WordPress is vulnerable to Privilege Escalation due to improper authorization within the get_email_log_details() AJAX handler in versions 1.0.17 to 1.3.6. The handler reads the client-supplied post_id and retrieves the corresponding email log post content (including the password-reset link), relying only on the ‘edit_posts’ capability without restricting to administrators or validating ownership. This makes it possible for authenticated attackers, with Contributor-level access and above, to harvest an admin’s reset link and elevate their privileges to administrator.
Missing Authorization vulnerability in Jean-David Daviet Download Media.This issue affects Download Media: from n/a through 1.4.2.
The Hydra Booking plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the tfhb_reset_password_callback() function in versions 1.1.0 to 1.1.18. This makes it possible for authenticated attackers, with Subscriber-level access and above, to reset the password of an Administrator user, achieving full privilege escalation.
Rapid7 Velociraptor allows users to be created with different privileges on the server. Administrators are generally allowed to run any command on the server including writing arbitrary files. However, lower privilege users are generally forbidden from writing or modifying files on the server. The VQL copy() function applies permission checks for reading files but does not check for permission to write files. This allows a low privilege user (usually, users with the Velociraptor "investigator" role) to overwrite files on the server, including Velociraptor configuration files. To exploit this vulnerability, the attacker must already have a Velociraptor user account at a low privilege level (at least "analyst") and be able to log into the GUI and create a notebook where they can run the VQL query invoking the copy() VQL function. Typically, most users deploy Velociraptor with limited access to a trusted group (most users will be administrators within the GUI). This vulnerability is associated with program files https://github.Com/Velocidex/velociraptor/blob/master/vql/filesystem/copy.go https://github.Com/Velocidex/velociraptor/blob/master/vql/filesystem/copy.go and program routines copy(). This issue affects Velociraptor versions before 0.6.7-5. Version 0.6.7-5, released January 16, 2023, fixes the issue.
Missing Authorization vulnerability in XLPlugins NextMove Lite.This issue affects NextMove Lite: from n/a through 2.17.0.
Missing Authorization vulnerability in Leevio Happy Addons for Elementor.This issue affects Happy Addons for Elementor: from n/a through 3.10.1.
Several WordPress plugins developed by Cool Plugins are vulnerable to arbitrary plugin installation and activation that can lead to remote code execution by authenticated attackers with minimal permissions, such as a subscriber.
The WCFM Marketplace plugin for WordPress is vulnerable to unauthorized modification and access of data in versions up to, and including, 3.4.11 due to missing capability checks on various AJAX actions. This makes it possible for authenticated attackers, with minimal permissions such as subscribers, to perform a wide variety of actions such as modifying shipping method details, modifying products, deleting arbitrary posts, and privilege escalation (via the wp_ajax_wcfm_vendor_store_online AJAX action).
The aapanel WP Toolkit plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization checks within the auto_login() function in versions 1.0 to 1.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to bypass all role checks and gain full admin privileges.
The Addon Library plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the onAjaxAction function action in all versions up to, and including, 1.3.76. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform several unauthorized actions including uploading arbitrary files.
Missing Authorization vulnerability in ONTRAPORT Inc. PilotPress.This issue affects PilotPress: from n/a through 2.0.30.
The B1.lt plugin for WordPress is vulnerable to SQL Injection due to a missing capability check on the b1_run_query AJAX action in all versions up to, and including, 2.2.56. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute and run arbitrary SQL commands.
The WP Human Resource Management plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization in the ajax_insert_employee() and update_empoyee() functions in versions 2.0.0 through 2.2.17. The AJAX handler reads the client-supplied $_POST['role'] and, after basic cleaning via hrm_clean(), passes it directly to wp_insert_user() and later to $user->set_role() without verifying that the current user is allowed to assign that role. This makes it possible for authenticated attackers, with Employee-level access and above, to elevate their privileges to administrator.
Smart Parking Management System from Honding Technology has a Missing Authorization vulnerability, allowing remote attackers with regular privileges to access a specific functionality to create administrator accounts, and subsequently log into the system using those accounts.
The Realty Portal – Agent plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization within the rp_user_profile() AJAX handler in versions 0.1.0 through 0.3.9. The handler reads the client-supplied meta key and value pairs from $_POST and passes them directly to update_user_meta() without restricting to a safe whitelist. This makes it possible for authenticated attackers, with Subscriber-level access and above, to overwrite the wp_capabilities meta and grant themselves the administrator role.
The Droip plugin for WordPress is vulnerable to unauthorized modification and access of data due to a missing capability check on the droip_post_apis() function in all versions up to, and including, 2.2.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform many actions as the AJAX hooks to several functions. Some potential impacts include arbitrary post deletion, arbitrary post creation, post duplication, settings update, user manipulation, and much more.
Missing Authorization vulnerability in Code for Recovery 12 Step Meeting List.This issue affects 12 Step Meeting List: from n/a through 3.14.28.
A missing permission check in an HTTP endpoint in Jenkins docker-build-step Plugin 2.11 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified TCP or Unix socket URL, and to reconfigure the plugin using the provided connection test parameters, affecting future build step executions.
Missing Authorization vulnerability in Nikolay Strikhar WordPress Form Builder Plugin – Gutenberg Forms.This issue affects WordPress Form Builder Plugin – Gutenberg Forms: from n/a through 2.2.8.3.
Vulnerability in the Oracle BI Publisher product of Oracle Analytics (component: Web Server). Supported versions that are affected are 7.0.0.0.0, 7.6.0.0.0 and 12.2.1.4.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle BI Publisher. Successful attacks of this vulnerability can result in takeover of Oracle BI Publisher. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
HAX CMS allows you to manage your microsite universe with PHP or NodeJs backends. In versions 11.0.13 and below of haxcms-nodejs and versions 11.0.8 and below of haxcms-php, API endpoints do not perform authorization checks when interacting with a resource. Both the JS and PHP versions of the CMS do not verify that a user has permission to interact with a resource before performing a given operation. The API endpoints within the HAX CMS application check if a user is authenticated, but don't check for authorization before performing an operation. This is fixed in versions 11.0.14 of haxcms-nodejs and 11.0.9 of haxcms-php.
The RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login plugin for WordPress is vulnerable to privilege escalation due to a missing capability check on the update_users_role() function in all versions up to, and including, 5.3.0.0. This makes it possible for authenticated attackers, with subscriber-level access and above, to escalate their privileges to that of an administrator
Missing Authorization vulnerability in MDJM Mobile DJ Manager allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Mobile DJ Manager: from n/a through 1.7.6.
The GetBookingsWP – Appointments Booking Calendar Plugin For WordPress plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.1.27. This is due to the plugin not properly validating a user's identity prior to updating their details like email. This makes it possible for authenticated attackers, with subscriber-level access and above, to change arbitrary user's email addresses, including administrators, and leverage that to reset the user's password and gain access to their account.
The WordPress Awesome Import & Export Plugin - Import & Export WordPress Data plugin for WordPress is vulnerable arbitrary SQL Execution and privilege escalation due to a missing capability check on the renderImport() function in all versions up to, and including, 4.1.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary SQL statements that can leveraged to create a new administrative user account.
The AI Power: Complete AI Pack plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the wpaicg_save_image_media function in all versions up to, and including, 1.8.96. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload image files and embed shortcode attributes in the image_alt value that will execute when sending a POST request to the attachment page.
The Zox News - Professional WordPress News & Magazine Theme plugin for WordPress is vulnerable to unauthorized data modification. This vulnerability can lead to privilege escalation and denial of service conditions due to missing capability checks on the backup_options() and reset_options() functions in all versions up to and including 3.17.0. This vulnerability allows authenticated attackers with Subscriber-level access and above to update and delete arbitrary option values on the WordPress site. Attackers can exploit this issue to update the default user role for registration to Administrator and enable user registration, thereby gaining administrative access to the vulnerable site. Additionally, they could delete critical options, causing errors that may disrupt the site's functionality and deny service to legitimate users.
The WooCommerce Customers Manager plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the ajax_assign_new_roles() function in all versions up to, and including, 31.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to elevate their privileges to that of an administrator.
The Custom Login Page Styler – Login Protected Private Site , Change wp-admin login url , WordPress login logo , Temporary admin login access , Rename login , Login customizer, Hide wp-login – Limit Login Attempts – Locked Site plugin for WordPress is vulnerable to privilege escalation due to a missing capability check on the 'lps_generate_temp_access_url' AJAX action in all versions up to, and including, 7.1.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to login as other users such as subscribers.
The Royal Core plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the 'royal_restore_backup' function in all versions up to, and including, 2.9.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.
The SKT Page Builder plugin for WordPress is vulnerable to arbitrary file uploads due to a missing capability check on the 'addLibraryByArchive' function in all versions up to, and including, 4.6. This makes it possible for authenticated attackers, with subscriber-level access and above, to upload arbitrary files that make remote code execution possible.
The Croma Music plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the 'ironMusic_ajax' function in all versions up to, and including, 3.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.
The Zox News theme for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the 'backup_options' and 'restore_options' function in all versions up to, and including, 3.16.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.
The JobCareer | Job Board Responsive WordPress Theme theme for WordPress is vulnerable to unauthorized access, modification, and loss of data due to a missing capability checks on multiple functions in all versions up to, and including, 7.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files, generate backups, restore backups, update theme options, and reset theme options to default settings.
The CRM WordPress Plugin – RepairBuddy plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.8120. This is due to the plugin not properly validating a user's identity prior to updating their email through the wc_update_user_data AJAX action. This makes it possible for authenticated attackers, with subscriber-level access and above, to change arbitrary user's email addresses, including administrators, and leverage that to reset the user's password and gain access to their account.
The SurveyJS: Drag & Drop WordPress Form Builder to create, style and embed multiple forms of any complexity plugin for WordPress is vulnerable to arbitrary file deletion due to a missing capability check on the callback function of the SurveyJS_DeleteFile class in all versions up to, and including, 1.12.17. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). This function is still vulnerable to Cross-Site Request Forgery as of 1.12.20.
The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to privilege escalation due to a missing capability check on the 'eh_crm_agent_add_user' AJAX action in all versions up to, and including, 3.2.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create new administrative user accounts.